chore: update access control policy & sql review policy (#47)

ecmadao · web-flow · commit 05ca1f84ddae · 2023-01-31T20:45:33.000+08:00
* feat: support policy data source

* chore: support CRUD policy resource

* chore: support config sql review rules

* chore: update docs

* chore: update version

* chore: update docs

* chore: update docs

* chore: update docs

* chore: optimize

* chore: update

* chore: update version

* chore: add tests

* chore: update access control policy &amp; sql review policy
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.0.7-alpha.6
+0.0.7-alpha.7
diff --git a/api/common.go b/api/common.go
@@ -9,3 +9,23 @@ const (
 	// Deleted is the state for an removed row.
 	Deleted State = "DELETED"
 )
+
+// EngineType is the type of the instance engine.
+type EngineType string
+
+const (
+	// EngineTypeMySQL is the database type for MYSQL.
+	EngineTypeMySQL EngineType = "MYSQL"
+	// EngineTypePostgres is the database type for POSTGRES.
+	EngineTypePostgres EngineType = "POSTGRES"
+	// EngineTypeTiDB is the database type for TiDB.
+	EngineTypeTiDB EngineType = "TIDB"
+	// EngineTypeSnowflake is the database type for SNOWFLAKE.
+	EngineTypeSnowflake EngineType = "SNOWFLAKE"
+	// EngineTypeClickHouse is the database type for CLICKHOUSE.
+	EngineTypeClickHouse EngineType = "CLICKHOUSE"
+	// EngineTypeMongoDB is the database type for MongoDB.
+	EngineTypeMongoDB EngineType = "MONGODB"
+	// EngineTypeSQLite is the database type for SQLite.
+	EngineTypeSQLite EngineType = "SQLITE"
+)
diff --git a/api/instance.go b/api/instance.go
@@ -1,25 +1,5 @@
 package api
 
-// EngineType is the type of the instance engine.
-type EngineType string
-
-const (
-	// EngineTypeMySQL is the database type for MYSQL.
-	EngineTypeMySQL EngineType = "MYSQL"
-	// EngineTypePostgres is the database type for POSTGRES.
-	EngineTypePostgres EngineType = "POSTGRES"
-	// EngineTypeTiDB is the database type for TiDB.
-	EngineTypeTiDB EngineType = "TIDB"
-	// EngineTypeSnowflake is the database type for SNOWFLAKE.
-	EngineTypeSnowflake EngineType = "SNOWFLAKE"
-	// EngineTypeClickHouse is the database type for CLICKHOUSE.
-	EngineTypeClickHouse EngineType = "CLICKHOUSE"
-	// EngineTypeMongoDB is the database type for MongoDB.
-	EngineTypeMongoDB EngineType = "MONGODB"
-	// EngineTypeSQLite is the database type for SQLite.
-	EngineTypeSQLite EngineType = "SQLITE"
-)
-
 // InstanceMessage is the API message for an instance.
 type InstanceMessage struct {
 	UID          string               `json:"uid"`
diff --git a/api/policy.go b/api/policy.go
@@ -128,6 +128,7 @@ type PolicyMessage struct {
 type PolicyPatchMessage struct {
 	InheritFromParent *bool      `json:"inheritFromParent"`
 	Type              PolicyType `json:"type"`
+	Enforce           *bool      `json:"enforce"`
 
 	// The policy payload
 	DeploymentApprovalPolicy *DeploymentApprovalPolicy `json:"deploymentApprovalPolicy"`
diff --git a/api/sql_review.go b/api/sql_review.go
@@ -156,5 +156,6 @@ type NumberTypeRulePayload struct {
 type SQLReviewRule struct {
 	Type    SQLReviewRuleType  `json:"type"`
 	Level   SQLReviewRuleLevel `json:"level"`
+	Engine  EngineType         `json:"engine"`
 	Payload string             `json:"payload"`
 }
diff --git a/docs/resources/policy.md b/docs/resources/policy.md
@@ -163,7 +163,7 @@ Access Control Policy is the policy configuration for database access control. I
 Must set the `access_control_policy` if the policy type if `ACCESS_CONTROL`. It contains following attributes:
 
 - `disallow_rules` (List of Object) The object contains following attribute:
-  - `full_database` (Boolean) will apply to the full database.
+  - `all_databases` (Boolean) will apply to all databases.
 
 For example:
 
@@ -183,7 +183,7 @@ resource "bytebase_policy" "access_control" {
 
   access_control_policy {
     disallow_rules {
-      full_database = true
+      all_databases = true
     }
   }
 }
@@ -194,12 +194,6 @@ resource "bytebase_policy" "access_control" {
   environment = bytebase_environment.prod.resource_id
   instance    = "<instance resource id for the database>"
   database    = "employee"
-
-  access_control_policy {
-    disallow_rules {
-      full_database = true
-    }
-  }
 }
 ```
 
@@ -219,6 +213,10 @@ The rule should a object contains:
   - `ERROR`
   - `WARNING`
   - `DISABLED`
+- `engine` (String) The database engine for the rule. Should be one of:
+  - `MYSQL`
+  - `POSTGRES`
+  - `TIDB`
 - `payload` (Object) The payload for SQL review rule.
 
 Please check the doc for details: https://www.bytebase.com/docs/sql-review/review-rules/supported-rules
@@ -233,27 +231,31 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "statement.select.no-select-all"
-      level = "ERROR"
+      type   = "statement.select.no-select-all"
+      level  = "ERROR"
+      engine = "MYSQL"
     }
     rules {
-      type  = "naming.table"
-      level = "ERROR"
+      type   = "naming.table"
+      level  = "ERROR"
+      engine = "POSTGRES"
       payload {
         max_length = 99
         format     = "^[a-z]+$"
       }
     }
     rules {
-      type  = "column.required"
-      level = "WARNING"
+      type   = "column.required"
+      level  = "WARNING"
+      engine = "TIDB"
       payload {
         list = ["id", "created_ts", "updated_ts"]
       }
     }
     rules {
-      type  = "column.auto-increment-initial-value"
-      level = "DISABLED"
+      type   = "column.auto-increment-initial-value"
+      level  = "DISABLED"
+      engine = "MYSQL"
       payload {
         number = 1
       }
@@ -288,8 +290,9 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "naming.table"
-      level = "ERROR"
+      type   = "naming.table"
+      level  = "ERROR"
+      engine = "MYSQL"
       payload {
         max_length = 99
         format     = "^[a-z]+$"
@@ -316,8 +319,9 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "column.comment"
-      level = "WARNING"
+      type   = "column.comment"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         max_length = 99
         required   = true
@@ -350,8 +354,9 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "column.auto-increment-initial-value"
-      level = "WARNING"
+      type   = "column.auto-increment-initial-value"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         number = 1
       }
@@ -382,8 +387,9 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "column.required"
-      level = "WARNING"
+      type   = "column.required"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         list = ["id", "created_ts", "updated_ts"]
       }
diff --git a/examples/environments/main.tf b/examples/environments/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "0.0.7-alpha.6"
+      version = "0.0.7-alpha.7"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/instances/main.tf b/examples/instances/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "0.0.7-alpha.6"
+      version = "0.0.7-alpha.7"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/policies/main.tf b/examples/policies/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "0.0.7-alpha.6"
+      version = "0.0.7-alpha.7"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/roles/main.tf b/examples/roles/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "0.0.7-alpha.6"
+      version = "0.0.7-alpha.7"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/setup/main.tf b/examples/setup/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "0.0.7-alpha.6"
+      version = "0.0.7-alpha.7"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
@@ -149,47 +149,54 @@ resource "bytebase_policy" "sql_review" {
   sql_review_policy {
     title = "SQL Review Policy for Test environment"
     rules {
-      type  = "statement.select.no-select-all"
-      level = "ERROR"
+      type   = "statement.select.no-select-all"
+      level  = "ERROR"
+      engine = "MYSQL"
     }
     rules {
-      type  = "statement.where.no-leading-wildcard-like"
-      level = "DISABLED"
+      type   = "statement.where.no-leading-wildcard-like"
+      level  = "DISABLED"
+      engine = "MYSQL"
     }
     rules {
-      type  = "column.comment"
-      level = "ERROR"
+      type   = "column.comment"
+      level  = "ERROR"
+      engine = "MYSQL"
       payload {
         max_length = 99
         required   = true
       }
     }
     rules {
-      type  = "table.comment"
-      level = "WARNING"
+      type   = "table.comment"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         max_length = 30
         required   = false
       }
     }
     rules {
-      type  = "naming.table"
-      level = "ERROR"
+      type   = "naming.table"
+      level  = "ERROR"
+      engine = "MYSQL"
       payload {
         max_length = 99
         format     = "^[a-z]+$"
       }
     }
     rules {
-      type  = "column.required"
-      level = "WARNING"
+      type   = "column.required"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         list = ["id", "created_ts", "updated_ts"]
       }
     }
     rules {
-      type  = "column.auto-increment-initial-value"
-      level = "WARNING"
+      type   = "column.auto-increment-initial-value"
+      level  = "WARNING"
+      engine = "MYSQL"
       payload {
         number = 1
       }
diff --git a/provider/data_source_policy.go b/provider/data_source_policy.go
@@ -239,7 +239,7 @@ func flattenAccessControlPolicy(p *api.AccessControlPolicy) []interface{} {
 	rules := []interface{}{}
 	for _, rule := range p.DisallowRules {
 		raw := map[string]interface{}{}
-		raw["full_database"] = rule.FullDatabase
+		raw["all_databases"] = rule.FullDatabase
 		rules = append(rules, raw)
 	}
 	policy := map[string]interface{}{
@@ -254,6 +254,7 @@ func flattenSQLReviewPolicy(p *api.SQLReviewPolicy) ([]interface{}, error) {
 		raw := map[string]interface{}{}
 		raw["type"] = rule.Type
 		raw["level"] = rule.Level
+		raw["engine"] = rule.Engine
 
 		payload, err := unamrshalSQLReviewRulePayload(rule.Type, rule.Payload)
 		if err != nil {
@@ -425,7 +426,7 @@ func getAccessControlPolicy(computed bool) *schema.Schema {
 					Type:     schema.TypeList,
 					Elem: &schema.Resource{
 						Schema: map[string]*schema.Schema{
-							"full_database": {
+							"all_databases": {
 								Type:     schema.TypeBool,
 								Computed: computed,
 								Optional: true,
@@ -525,6 +526,17 @@ func getSQLReviewPolicy(computed bool) *schema.Schema {
 									string(api.SQLReviewRuleLevelDisabled),
 								}, false),
 							},
+							"engine": {
+								Type:     schema.TypeString,
+								Computed: computed,
+								Optional: true,
+								ValidateFunc: validation.StringInSlice([]string{
+									string(api.EngineTypeMySQL),
+									string(api.EngineTypePostgres),
+									string(api.EngineTypeTiDB),
+								}, false),
+								Description: "The engine for this rule.",
+							},
 							"payload": {
 								Computed: computed,
 								Type:     schema.TypeList,
diff --git a/provider/resource_policy.go b/provider/resource_policy.go

Original file line number	Diff line number	Diff line change
`@@ -156,5 +156,6 @@ type NumberTypeRulePayload struct {`
`156`	`156`	`type SQLReviewRule struct {`
`157`	`157`	Type SQLReviewRuleType `json:"type"`
`158`	`158`	Level SQLReviewRuleLevel `json:"level"`
	`159`	+ Engine EngineType `json:"engine"`
`159`	`160`	Payload string `json:"payload"`
`160`	`161`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`terraform {`
`3`	`3`	`required_providers {`
`4`	`4`	`bytebase = {`
`5`		`- version = "0.0.7-alpha.6"`
	`5`	`+ version = "0.0.7-alpha.7"`
`6`	`6`	`# For local development, please use "terraform.local/bytebase/bytebase" instead`
`7`	`7`	`source = "registry.terraform.io/bytebase/bytebase"`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`bytebase = {`
`4`		`- version = "0.0.7-alpha.6"`
	`4`	`+ version = "0.0.7-alpha.7"`
`5`	`5`	`# For local development, please use "terraform.local/bytebase/bytebase" instead`
`6`	`6`	`source = "registry.terraform.io/bytebase/bytebase"`
`7`	`7`	`}`